The Dutch Data Protection Authority (DPA) announced a 290-million-euro ($324 million) fine against ride-hailing app Uber for transferring personal data of European drivers to US servers. The DPA deemed these transfers a “serious violation” of the European Union’s General Data Protection Regulation (GDPR), citing insufficient protection of driver information.
“Uber did not meet the GDPR requirements to ensure adequate protection of data transferred to the US. This is very serious,” stated Aleid Wolfsen, DPA chairman.
The DPA highlighted that Uber collected sensitive information from European drivers, including taxi licenses, location data, photos, payment details, identity documents, and in some cases, even criminal and medical data. This data was transferred to Uber’s US headquarters over a two-year period without using proper transfer tools.
“Due to this, the protection of personal data was inadequate,” the DPA stated.
Uber has announced plans to appeal the fine. “This flawed decision and extraordinary fine are completely unjustified,” an Uber spokesperson said. “Uber’s cross-border data transfer process complied with GDPR during a 3-year period of significant uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail.”
